GDPR and human factors studies for medical devices: Key issues for manufacturers and sponsors
EMERGO BY UL SUMMARY OF KEY POINTS:
- The European GDPR has ramifications for how medical device human factors researchers collect and manage data related to study participants, even outside of the EU.
- Human factors researchers should work with their clients (if they serve in a consulting capacity) and other third parties (e.g., vendors) to define roles and responsibilities early during study planning and develop best practices that comply with GDPR requirements.
- All participant data management decisions and rationales should be properly documented to demonstrate GDPR compliance.
Following Emergo by UL’s recent webinar on the European Union’s General Data Protection Regulation (GDPR) and human factors studies for medical devices, we examine key GDPR compliance issues human factors researchers must address to avoid steep penalties. The webinar was presented by Allison Strochlic and Alexandria Trombley, Research Director and Human Factors Specialist, respectively, at Emergo by UL’s Human Factors Research & Design (HFR&D) division, as well as two legal experts from Sidley Austin, Geraldine Scali and Kate Heinzelman.
Reflecting some key takeaways from the webinar, four high-level items that human factors researchers should consider carefully for GDPR compliance are:
- Contractually defining responsibilities of controllers and processors early in the research process;
- Setting and documenting decisions and rationales for data collection, processing, and protection;
- Notifying study participants of their rights and seeking informed consent;
- Complying with the GDPR even if you are not based in Europe or working with European Union resident data.
Defining roles and responsibilities
Establishing contracts to clarify which party will serve as the data controller, as well as which party—or parties—will serve as the data processor(s), is a crucial early step to ensure GDPR compliance. However, defining these roles and responsibilities in accordance with GDPR requirements may not be a clear-cut process, in which case legal support might be required to make these determinations. Designating the data controller and processor roles impacts each party’s responsibilities from that point forward.
Proper documentation of data collection and management practices, together with the rationale behind them, is essential to comply with the GDPR. Data controllers should ensure that they properly account for all decisions regarding how they and the data processor will collect, process, and protect personal and sensitive data from and about study participants (or “data subjects” per the GDPR). Proper documentation also facilitates agreement among all stakeholders on the selected approaches.
GDPR compliance beyond Europe
Finally, human factors researchers may be wondering to what extent, if any, they should comply with the GDPR if they are not conducting studies in Europe. Even if you’re not conducting research in the EU with EU residents, you might need to comply with the GDPR. For example, if you are conducting a study in the US, but you and/or the study sponsor are offering goods and services to people in the EU, or monitoring their behavior in any way, you might be subject to the GDPR. As such, researchers might be well-served to develop best practices that comply with the GDPR for any human factors studies involving collecting and analyzing personal and sensitive data, regardless of where such activities occur.